Is Your Banking Information Accidentally On Ebay?
GraWil writes "The Toronto Star is reporting how two Bank of Montreal computers containing thousands of sensitive customer files were sold to a student who fixes up machines and then resells them on eBay. It seems that the company responsible for scrubbing the disks (Rider Computer Services Ltd.) misfiled the machines in their warehouse and it was assumed they had been erased." It's not the first time this sort of thing has happened.
There is: WIPE.
yeah -
a damn
shame.
would love to read the article... it timed out 10 times in a row... so I gave up and posted from what I read in the comments previously.
/etc need to be beaten with sticks while having "never never never" screamed at them.
If it was servers, then the IT department, computer wiping service
Do not look at laser with remaining good eye.
You don't have to pay for Norton Wipeinfo if you're on Windows.
I'm told that both Scrub and Eraser are pretty good - although I haven't used them.
Both of which are free (in the "don't have to pay any money" sense)
Avantslash - View Slashdot cleanly on your mobile phone.
Er, they sent the systems to a company which was supposed to blank the disks but didn't. The data clearing company failed to do their job not the bank.
Most 2.5" HDDs plus 3.5" IBM Deskstars (and perhaps others) support ATAPI passwords. The password is written to the platter, and if it's there, the only thing the controller will respond to is the password. You can't talk to it at all in a system that doesn't know about ATAPI passwords. The only solution (that I know of) is to use a custom controller to access the platter, which is beyond the means of casual or even semi-pro Bad Men.
See this previous Ask Slashdot for more.
If you were blocking sigs, you wouldn't have to read this.
Well, a few years ago, a friend of mine bought a Maxtor hard disk brand new and found an installed copy of Windows ME on the drive when he hooked it up. It wasn't an OEM disk or anything refurbished. It was a brand new drive right out of the shrink wrap. Kinda makes you think.
The absolute main security issue was customer data. Not that they would have fancied embezzlement or theft but this was looked upon far less serious than compromising customer data, period.
In the data centers (which you had to physically access in order to query real customer data, safe for the front office and also there it was very restricted what you could look at) you had to go through multiple layers of security and were not permitted to even remove a printout.
Computers were dismantled and disks shredded, they were never for resale. This was applicable for every last computer from every last branch and office.
Now, I agree shit happens. Probably in their case it started with outsourcing such a critical task to "ACMEs cheap disk blanking operation" in order to save a few bucks. This is not really excusable, but it happens.
But what really gets my blood boiling are statements like the one from that PR bimbo, which are just utter bullshit.
Maybe she should apply for a job at Microsoft to sell "trustworthy computing".
i am the musician
with pocket calculator in hand
kraftwerk
CBC Radio 1 had an interview with a security representative from the bank last night on As It Happens. An audio recording of the program is available here. (It's the ninth item of the programme.)
Great minds think alike; fools seldom differ.
Modern hard drives have commands "SECURITY ERASE" and "ENHANCED SECURITY ERASE". Search for those terms and hdparm on google. Also below is a link to the quality of the erasure. Note: these will erase even bad "mapped out" sectors. Enhanced erase will even go off track + and minus which erases the edges. atapwd.zip does regular erase (search).
http://www.tomcoughlin.com/Techpapers/Secure%20Erase%20Article%20for%20IDEMA,%20042502.pdf
He paid $400 each for two powerful IBM Netfinity servers that would have cost about $5,000 new.
kinda sounds like servers to me, IT fucked up by allowing them out the door un-shredded whether it was policy or not.
Apocalypse Cancelled, Sorry, No Ticket Refunds
It's a shame that there isn't a Linux program that does something similar.
Others have mentioned specific utilities, but with almost any bootable CDROM Linux variant you can wipe a disk pretty thoroughly as follows. This is for when you're retiring a system and want to overwrite the entire disk, not scrubbing free space on a live system:
This will write pseudo-random data over the hard drive 10 times. To make it happen more times, change '10' to 'N' where N is larger than 10 in the 'seq' command. To use true random data rather than pseudo-random, use /dev/random, but realize it may hang waiting to gain more entropy and, for this use, I'm not sure there is any real advantage in true randomness.
You can also use 'dd' on a live system, writing to a file instead of a partition, and fill up free space on that partition (then delete the file!). This will overwrite data from deleted files, but will not get slack space, which is the particular advantage of using the 'wipe' tool that someone else mentioned. Also, remember only root can fill the filesystem; everyone else gets cut off with some small % free.
Windows users should also realize that with Windows 2000 (um, SP3 I think) and above the EFS tool 'cipher' will allow you to wipe unused disk space, so that you can proactively make sure that deleted files aren't hanging around on disk. This is useful if you want to make sure old files don't accumulate on the hard drive of a working system, especially physically insecure laptops etc. etc. It presumes the NTFS file system, of course.
will overwrite the free space on the C: partition with 0s, then 1s, then random data. I'm not sure if it gets slack space.
Of course, a very slim possibility remains that sophisticated and expensive physical analysis will still recover data from disks wiped in this manner. Unless you've seriously honked off the NSA, however, these should provide sufficient protection for most uses.
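The multi-pass pseudo-random overwrite described in the comment above, with a check that a known record is no longer readable afterwards. This is an added example, not code from the original thread; the function names and the sample record are assumptions, and the demo runs against a constructed image file rather than a real disk.

```shell
#!/bin/sh
# Added example: N-pass pseudo-random overwrite plus a verification check.
# The demo uses a constructed image file. Pointed at a real device (for
# example from a live CD, as root) it destroys everything on that device.
set -eu

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# overwrite_passes TARGET PASSES: write /dev/urandom over TARGET, PASSES times.
overwrite_passes() {
    target=$1; passes=$2
    size=$(target_size "$target")
    for pass in $(seq 1 "$passes"); do
        # head bounds the stream to exactly the target's size; conv=notrunc
        # stops dd truncating an image file; conv=fsync flushes each pass
        # to the medium before the next one starts.
        head -c "$size" /dev/urandom |
            dd of="$target" bs=1M conv=notrunc,fsync status=none
    done
}

# marker_present TARGET STRING: succeeds if STRING can still be read back.
marker_present() {
    LC_ALL=C grep -a -q -F -- "$2" "$1"
}

# Constructed demo: a 2 MiB "disk" holding one fake account record.
demo() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=1M count=2 status=none
    printf 'ACCT=CONSTRUCTED-0001' |
        dd of="$img" bs=1 seek=4096 conv=notrunc status=none
    marker_present "$img" 'ACCT=CONSTRUCTED-0001' && echo "before: record readable"
    overwrite_passes "$img" 3
    marker_present "$img" 'ACCT=CONSTRUCTED-0001' || echo "after: record gone"
    rm -f "$img"
}
demo
```

Overwriting through the block device does not reach sectors the drive has already remapped, which is the gap the SECURITY ERASE commands mentioned earlier in the thread are meant to cover.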
Overwriting once is not enough and even 35 times may not be enough.
Check this out
CrazyLegs
"Pork!!" said the Fish, and we all laughed.
Banking isn't the only area where this happens. I run a computer recycling biz on the sidelines to donate computers to needy organizations/kids and I have had government agencies give me computers fully loaded with super confidential information..like criminal records, medical histories, psychological profiles, login/passwords for government agencies, the list goes on and on. This is on the state level I have to say but sheesh. At least the federal government usually has the sense to pull the hard drives and erase them the good old fashioned way..with a sledge hammer.
0x09F911029D74E35BD84156C5635688C0